In order to gain access to applications or other resources via a computer or other user device, users are often required to authenticate themselves by entering authentication information. Such authentication information may comprise, for example, passwords that are generated by a security token carried by the user. These passwords may be one-time passwords that are generated using a time-synchronous or event-based algorithm. Other types of authentication information may include, for example, answers to so-called “life questions.” One particular example of a well-known type of security token is the RSA SecurID® hardware-based user authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A.
With respect to passwords generated by a security token, the security token may be of a type that can be electrically connected to the computer or other user device, such that the device can read a given password directly from the token. For other security tokens that are not connectable to a computer or other user device in this manner, the user may manually enter a password displayed by the token at the time of the attempted access.
A problem that arises in conventional authentication arrangements of the type described above is that the user typically has to provide authentication information separately for each application or other resource that he or she would like to access. In the case of a connectable security token, this may involve re-entering a personal identification number (PIN) each time the token is accessed by the device. In the case of a token that is not connectable, manual entry of different one-time passwords for each application may be required.
The actual authentication of the user for access to the applications generally occurs at a centralized authentication server or other authentication authority that receives the passwords or other authentication information from the user device via a network. Thus, the user may need to authenticate towards the same authentication authority a number of times in a short time frame. If the passwords are generated based on a time-synchronous algorithm, there may be a limit on how often users are able to authenticate.
One known technique that attempts to address this problem is the Kerberos Network Authentication Service, Version 5 (V5), described in J. Kohl et al., Internet Engineering Task Force (IETF), Request for Comments (RFC) 1510, September 1993. Unfortunately, applications must be modified in order to support Kerberos authentication. Moreover, Kerberos authentication requires the use of specially adapted communication protocols, and is not readily adaptable for use with standard communication protocols.
Accordingly, what is needed is an improved approach that avoids the repeated entry of authentication information but does not require changes to existing applications or communication protocols.